
iptables setup

Hi All,

I am very new to iptables, and I want to set it up to secure my redhat 9.0.
I want to allow the following services/ports:

22 -- SSH
3366 -- MySQL

Outbound ports (tcp)

25 - SMTP
110 - POP services
143 - IMAP
783 - Spamassassin
993 - IMAPS

Inbound Ports (tcp)

25 - SMTP
80 - HTTP
110 - POP services
143 - IMAP
443 - HTTPS
783 - Spamassassin
993 - IMAPS



How can I set it up? Please explain each line too.

Thank you.

Stanley

stanleyhuen Asked:

3 Solutions
 
ahoffmannCommented:
hmm, man iptables isn't that bad ;-)

iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INSERT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
# and so on ...
 
stanleyhuenAuthor Commented:
Thanks ahoffmann,

Can you give a simple sample script just for port 80?

Then I can follow it to allow the other ports.

Thank you.

Stanley
 
ahoffmannCommented:
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
# to be improved in many ways ...

BTW, please correct my typo in previous mail: INSERT should be INPUT
stanleyhuenAuthor Commented:
Thanks ahoffmann,
However, when I run the following commands remotely:
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP

the server is disconnected, and I have to reboot the server, which is placed in a data centre.

What is the problem?

Thank you.

Stanley
 
ahoffmannCommented:
> however, when i run the following commands remotely:
For sure, you cut the connection then.

You either have to use a console login, or use a script like:

remote-prompt% (/path/to/stop-firewall-script;/path/to/start-firewall-script)

Again: firewall and iptables are not a trial-and-error thing; you need to know what you do
   man iptables
 
paranoidcookieCommented:
I recommend you use a premade system like monmotha

http://monmotha.mplug.org/firewall/index.php

Simply edit the variables at the head of the script, chmod +x, then run.
 
ahoffmannCommented:
paranoidcookie, sorry, I'd never use that script for the following reasons:
  1. it opens your firewall box as a router, even if the iptables settings fail
  2. it hides any messages from iptables itself, very bad practice for a security script :-((
  3. with misconfiguration (variables at the head) you have the same problem as described above

There are no advantages, just disadvantages :-(

Again: to configure a firewall, you need to know what you do, no way around this (except if you don't care about security).
 
paranoidcookieCommented:
That's YOUR personal choice; however, I think you are both wrong and plain rude. Firstly, the advantage is MANY users are testing, refining and improving the security rather than just you, who by all accounts doesn't know what you are doing. Secondly, it's still using iptables; you can read through and see all of the iptables rules and adjust in any way you like. It's developed like all good open source apps with the benefit of the community, the same sort of community you are so at home asking for help with now. How hypocritical!

 "1. it opens your firewall box as a router, even if the iptables settings fail"

As with iptables itself, you need to actually check the settings work. If the script fails it will almost certainly be too restrictive rather than opening your box. Plus it's no worse than the default settings, which are completely open.

  "2. it hides any messages from iptables itself, very bad practice for a security script :-(("

Not at all, it has inbuilt logging options which you don't have in your simple script, so far from having less logging it has more.

  "3. with misconfiguration (variables at the head) you have the same problem as described above"

As you say, you need to understand what you are doing, BUT it's more difficult for you to make a mistake with a script that has been tested and worked on by multiple users.

Clearly you didn't bother reading the link and thought you would simply attack my help. Well, it just shows what an ignorant user you really are. Experts like myself aim to show you a range of possibilities, not just to help you but also to build a knowledge base, and with your childish, ignorant response you debase the whole process.
 
ahoffmannCommented:
paranoidcookie, my comment wasn't any offence (but read yours ...)
I just gave my opinion about that script in the current context: **security**, and I explained why.
No one has to agree with my comment, it's up to you.

Back to that script:
  if it helps or not for most users isn't the major question here, but it definitely does not help avoiding the deadlock (as it occurred with my previous suggestion). That's a fact. Dot. Read the script, if in doubt ...
  This script looks very sophisticated, but it has some flaws you need to be aware of, otherwise it does not give you security.
  Even though it is open source, it hides messages from iptables but prints its own ones, and that is bad practice. Ask the community.
  And again: when misconfigured, it opens your firewall as a router, completely insecure; someone should change that.

I don't explain the script at all, I just explained the threats a user faces when using such scripts. In particular an inexperienced
user has no choice to do it better with such scripts. Then better don't use them after changing, 'cause you can never be sure what
it protects then, and what it doesn't.
Again: no complaint about the script itself, just in the context of security (see the TA).
 
paranoidcookieCommented:
Firstly, I am very aware of what topic area I am running in, and you seem to miss the point of why you wouldn't want to log every last thing; there are limits on the logging for VERY good security-oriented reasons, like:
Excess logging can be used against sites in denial of service attacks. Your server won't be able to log all the packets it's dropping if you're DoS attacked, and trying to will cause it to fall over; even if you log to a different box it's likely to be overwhelmed. Logging every packet is going to make parsing the logs an unenviable chore and will hide any useful information within a whole range of other chatter.
At some point you are going to have to use a script; any competent iptables setup gets large and unwieldy quickly, and unless you want to re-enter all your iptables lines each time you reboot, scripting is the only way.
Remember this answer is not just for it will eventually go into the knowledge base, therefore I will feel duty bound to post. The truth is, for most users who do not wish to go into massive depth learning about IP and iptables, a scripted example will give far better security than a few lines of iptables code.
 
ahoffmannCommented:
> .. a scripted example will give far better security than a few lines of iptables code.
Agreed to that in some cases (which the questioner decides :)
Let's focus on the initial question please (no flame wars here)
 
paranoidcookieCommented:
There is a whole library of guides here

http://www.linuxguruz.com/iptables/

explaining all sorts of tweaks in greater depth than will be achieved here.
 
stanleyhuenAuthor Commented:
Thanks.

I have tried to use redhat's setup program to set the firewall; now iptables shows:

[root@diamond root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Lokkit-0-50-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Lokkit-0-50-INPUT (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http flags:SYN,RST,ACK/SYN
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp flags:SYN,RST,ACK/SYN
ACCEPT     all  --  anywhere             anywhere
ACCEPT     udp  --  223.98.182.227       anywhere           udp spt:domain
REJECT     tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere           udp reject-with icmp-port-unreachable


What does it mean?
How can I add to it to allow MySQL connections?

Thank you.

Stanley
 
ahoffmannCommented:
You need a similar rule, like:

ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp flags:SYN,RST,ACK/SYN

for the mysql port (3306 usually) instead of 25, somewhere in your setup script.
 
herr_apfelschnittCommented:
To prevent locking yourself out, just set the rules that allow the necessary traffic before setting default policies to DROP...
 
stanleyhuenAuthor Commented:
> To prevent locking yourself out, just set the rules that allow the necessary traffic before setting default policies to DROP...

Sorry, I don't understand; what do you mean?

I have tried to add the above rules on my web/ftp server, and my clients started to complain that they cannot ftp, or ftp is very slow. What is the problem?
Will it affect the speed of the server, for web and ftp?
 
ahoffmannCommented:
> .. before setting default policies to DROP
The default policy is always the last rule, applied when no other rule matched.
You can safely set it right after flushing the rules tables.
IMHO a default policy other than DROP or REJECT is improper for anything to be used as a firewall ;-)
 
herr_apfelschnittCommented:
Just set all your rules, and finally, the last thing you do is drop all packets that did not match any of those rules (= default policy).

Example, to allow ssh:

iptables -A INPUT -p tcp --destination-port 22 -j ACCEPT

Just do this for every port you want to allow. For smtp, just replace the destination port 22 with the smtp port number, 25, as in

iptables -A INPUT -p tcp --destination-port 25 -j ACCEPT

You can do the same for the output chain (instead of --destination-port, of course, --source-port), though I personally think that is not really necessary. Example for ssh:

iptables -A OUTPUT -p tcp --source-port 22 -j ACCEPT


If you want to use the machine as a client as well, you will then also have to allow all ports above 1024 on the output chain:

iptables  -A OUTPUT -p tcp --source-port 1025: -j ACCEPT

Those ports are used for outgoing connections.
Now finally, we drop all incoming packets that did not have any of the allowed destination ports.

iptables -P INPUT DROP

And all outgoing packets that do not have any of the allowed source ports. (only if you set the above OUTPUT rules!)

iptables -P OUTPUT DROP

You probably also want to allow all traffic on the loopback device (this traffic doesn't come from the network, so should be safe to allow):

iptables -A INPUT -i lo -j ACCEPT

And if you used the OUTPUT chain also (the OUTPUT chain matches the outgoing interface, so it takes -o rather than -i):

iptables -A OUTPUT -o lo -j ACCEPT

Hope this helps.
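The ordering herr_apfelschnitt describes, put together as one script for the port list from the question. This is an added example, not code from the thread: it prints the iptables commands it would run (a dry run) and only applies them when invoked with "apply", from one shell as in ahoffmann's "(stop-script; start-script)" suggestion. It assumes MySQL on 3306 (the question wrote 3366), the iptables state match (present on Red Hat 9), and adds outbound DNS, which is not in the question's list but which mail delivery needs.

```shell
#!/bin/sh
# Added example, not code from the thread: builds the iptables rule set for the
# ports listed in the question in an order that cannot lock out a remote admin.
# Without an argument it only prints the commands (dry run); "apply" runs them.
# Assumptions: MySQL on 3306 (the question wrote 3366), a kernel with the
# state match (Red Hat 9 has it), and outbound DNS added for mail delivery.

IN_TCP="22 25 80 110 143 443 783 993"   # inbound services from the question
OUT_TCP="25 110 143 783 993"            # outbound client ports from the question
MYSQL_PORT="${MYSQL_PORT:-3306}"        # assumption: the question's 3366 was a typo

fw_rules() {
    ipt=iptables
    # 1. Reset with ACCEPT policies, so the flush alone never cuts the
    #    SSH session (the lockout in the thread came from setting DROP first).
    echo "$ipt -P INPUT ACCEPT"
    echo "$ipt -P OUTPUT ACCEPT"
    echo "$ipt -P FORWARD ACCEPT"
    echo "$ipt -F"
    echo "$ipt -X"
    # 2. Loopback in both directions (the OUTPUT chain matches the interface with -o).
    echo "$ipt -A INPUT -i lo -j ACCEPT"
    echo "$ipt -A OUTPUT -o lo -j ACCEPT"
    # 3. Connection tracking (an addition beyond the thread): replies to accepted
    #    connections pass, so no "all ports above 1024" rule is needed and the
    #    replies to inbound SSH/HTTP connections are covered as well.
    echo "$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 4. New inbound connections to the listed services, SSH first.
    for p in $IN_TCP $MYSQL_PORT; do
        echo "$ipt -A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # 5. New outbound connections the box itself opens (mail, spamassassin),
    #    plus DNS lookups (assumption: needed so the MTA can resolve other domains).
    for p in $OUT_TCP; do
        echo "$ipt -A OUTPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo "$ipt -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT"
    # 6. Only now, with every ACCEPT rule in place, the DROP policies.
    echo "$ipt -P INPUT DROP"
    echo "$ipt -P FORWARD DROP"
    echo "$ipt -P OUTPUT DROP"
}

# Apply as one unit from a single shell: sh -e stops at the first failing
# command, so a typo in an ACCEPT rule leaves the policies at ACCEPT (step 1)
# instead of a half-built ruleset with DROP policies and no way back in.
fw_apply() {
    fw_rules | sh -e
}

# Review helper: line number of the first generated command matching a pattern.
rule_index() {
    fw_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

if [ "${1:-}" = "apply" ]; then
    fw_apply
else
    fw_rules
fi
```

Run it without arguments first and read the output top to bottom: the SSH ACCEPT must appear before `-P INPUT DROP`, which is the whole point of the ordering. If the box also serves FTP (the Lokkit output in the thread shows port 21 open, and the later comment mentions FTP clients), add 21 to IN_TCP and load the ip_conntrack_ftp module, otherwise the RELATED rule cannot match FTP data connections and transfers stall.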
